Jaff Ransomware Targets Millions, While vCrypt1 Attacks on the Cheap

Ransomware is a great source of income for many crime groups, but not all variants are created equal. Two new strains, Jaff and vCrypt1, demonstrate the (very) opposite ends of the spectrum. Both are virulent, with the former targeting millions in just the last 24 hours.

Jaff, originally identified by security researcher S!Ri, is notably leveraging the ongoing Necurs spam campaigns to cast a rapid and wide net. Cisco Talos alone has observed more than 100,000 emails related to Jaff since yesterday. Check Point meanwhile said that its global sensors are registering a rate of approximately 10,000 emails sent per hour. And Forcepoint Security Labs said that it has observed a telemetry peaking at nearly 5 million emails per hour, with 13 million+ mails sent so far.

“The campaign makes a large reuse of files; the exact same malicious files were spotted at hundreds of different users’ email boxes,” Check Point noted in a blog.

Domains associated with all regions of the world have been observed being targeted.

Carl Leonard, principal security analyst at Forcepoint, said via email that while it's easy to initially be dismissive of broad-reach email campaigns such as this, it’s important not to underestimate its effectiveness and sophistication.

“The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point of interaction with systems is the most vulnerable point: by potentially reaching so many people, campaigns such as this can—and do—succeed in infecting people,” he said, in a blog. “This broad scope, coupled with low antivirus detection rates at the time of the campaign, once again highlights the necessity of defense-in-depth across the lifecycle. The actors behind the campaign have expended significant resources on making such a grand entrance. It would be surprising if they let themselves fade from the limelight as suddenly.”

Jaff has been observed to be nearly identical to Locky in many ways, including using a PDF that opens up a Word document with a macro. It also uses a similar payment page. That said, a big difference, according to Jerome Segura, lead malware intelligence analyst at Malwarebytes, is that Jaff is asking for an astounding 2 BTC (about $3,700 at the time of writing)—well above the typical ransom demand.

Importantly, the code base is also different, according to Cisco Talos.

"There are certain characteristics associated with the campaigns being used to distribute Jaff and the C2 traffic patterns it uses that are similar to what we’ve become accustomed to while monitoring Locky and Dridex activity across the threat landscape,” Talos researchers said in an analysis. “However, we are confident that this is not simply a new or retooled version of Locky ransomware. There is very little similarity between the two code bases, and while it is possible that the same actors who once used Necurs to spread Locky has switched to distributing Jaff, the malware itself is distinct enough in nature that it should be treated and referred to as a different ransomware family altogether."

Sophisticated ransomware like Jaff tends to employ strong encryption techniques with a large operation behind it, including a whole backend infrastructure that includes support staff that can provide decoding services once a ransom has been paid.

vCrpyt1 is not that.

This ransomware, uncovered by SentinelOne, was clearly created on the cheap. It doesn’t include any stealth infection techniques, but rather uses social engineering in the form of a scary text file with instruction and a very basic XOR of the files content. As for backend support, vCrypt1 simply uses an email address that can be used to negotiate the “decryption” of the victims’ files.

“Even in its simplicity, it can still prove to be very profitable,” researchers noted. “Ransomware [can require] very little investment from the attacker or attacker group…it is also possible that the perpetrators are installing vCrypt1 as a service from dark-net providers or they are renting botnets to send mass phishing emails. All of which is very inexpensive for the attacker.”

With a ransom message and accompanying files that are in Russian, vCrypt1 was likely developed to attack Russian targets, by Russian attack groups. But it’s a good example of how even the simplest code can be extremely effective.